Aug 13, 2009

I recently had a hard time understanding HTTP authentication, particularly involving redirects. After googling and conversing with a good friend, Alan, here is the picture of what happens when server A (or a browser) makes an HTTP request to server B, which redirects to server C:

Why does the auth handshake always happen even if the credential is set? This is by design, because HTTP request clients have no idea which auth scheme the remote server is using. You can avoid the first auth handshake by manually setting the HttpWebRequest's header, like: req.Headers.Add("Authorization", "basic " + base64); But this needs to be done on every request, even for the same URI prefix. Generally, allowing the handshake and setting PreAuthenticate=true is better. See this post for details.
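The handshake described above can be observed from the server side. The following is an added example, not code from the original post: a loopback HttpListener records whether each incoming request carried an Authorization header, first with Credentials set and then with the header set manually. The port 8089, the path and the demo-user/demo-pass credential are constructed values.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;
using System.Threading;

class AuthHandshakeDemo
{
    const string Url = "http://localhost:8089/demo/";        // assumption: port 8089 is free
    static readonly List<string> Seen = new List<string>();  // what the server saw

    // Constructed test server: challenges requests without Authorization, accepts the rest.
    static void Handle(HttpListenerContext ctx)
    {
        bool hasAuth = ctx.Request.Headers["Authorization"] != null;
        lock (Seen) Seen.Add(hasAuth ? "Authorization sent -> 200" : "no Authorization -> 401");
        ctx.Response.StatusCode = hasAuth ? 200 : 401;
        if (!hasAuth) ctx.Response.AddHeader("WWW-Authenticate", "Basic realm=\"demo\"");
        ctx.Response.Close();
    }

    static void Serve(HttpListener listener)
    {
        try { while (true) Handle(listener.GetContext()); }
        catch (Exception) { /* listener was stopped */ }
    }

    // Sends one logical request and prints every physical request the server received.
    static void Fetch(string label, Action<HttpWebRequest> configure)
    {
        lock (Seen) Seen.Clear();
        var req = (HttpWebRequest)WebRequest.Create(Url);
        configure(req);
        using (req.GetResponse()) { }
        lock (Seen) Console.WriteLine(label + ": " + string.Join(" | ", Seen));
    }

    static void Main()
    {
        var listener = new HttpListener();
        listener.Prefixes.Add(Url);
        listener.Start();
        new Thread(() => Serve(listener)) { IsBackground = true }.Start();
        // Credentials only: the client learns the scheme from the 401, then retries.
        Fetch("Credentials", r => r.Credentials = new NetworkCredential("demo-user", "demo-pass"));
        // Manual header: the credential goes out on the first request, with no challenge.
        string base64 = Convert.ToBase64String(Encoding.UTF8.GetBytes("demo-user:demo-pass"));
        Fetch("Manual header", r => r.Headers.Add("Authorization", "Basic " + base64));
        listener.Stop();
    }
}
```

Basic is only base64 encoding of user:password, so outside a loopback test either variant belongs on HTTPS.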

When making an HttpWebRequest, the request object needs to have a CookieContainer, which is filled in from the response. It doesn't do anything with authentication though.

Another related point: in the case of impersonation, Kerberos (both authentication and delegation) is required in order to forward default credentials (the double-hop scenario).
